This vulnerability is serious because it can allow Remote Code Execution when the alwaysSelectFullNamespace option is enabled in a Struts 2 configuration file and an action tag is specified without a namespace attribute or with a wildcard namespace. It has a CVSS v3 base score of 9.8 (out of a possible 10).

Many organizations, including Pharos customers, are urgently investigating where this tool is used and working to update/repair those instances.
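For teams carrying out that investigation, the following added example (not Pharos or Apache code) checks a struts.xml file for the combination described above. It assumes the standard layout in which the option is set through the `struts.mapper.alwaysSelectFullNamespace` constant and the namespace is declared on the `<package>` element that contains the actions; the sample configuration and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Struts 2 constant that carries the option named in the text above.
FLAG = "struts.mapper.alwaysSelectFullNamespace"

# Constructed sample config (not taken from any real deployment).
WEAK = """
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="public" extends="struts-default">
    <action name="index" class="example.IndexAction"/>
  </package>
  <package name="reports" namespace="/*" extends="struts-default">
    <action name="view" class="example.ViewAction"/>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="users" class="example.UsersAction"/>
  </package>
</struts>
"""
# Same config with the option disabled, for comparison.
FLAG_OFF = WEAK.replace('value="true"', 'value="false"')


def audit_struts_config(xml_text):
    """Report whether one struts.xml matches the risky combination."""
    root = ET.fromstring(xml_text.strip())
    flag_on = any(
        c.get("name") == FLAG and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant")
    )
    risky = []
    for pkg in root.iter("package"):
        ns = (pkg.get("namespace") or "").strip()
        if ns and "*" not in ns:
            continue  # explicit, fixed namespace: not part of the condition
        risky.append({
            "package": pkg.get("name"),
            "reason": "wildcard namespace" if ns else "no namespace",
            "actions": [a.get("name") for a in pkg.iter("action")],
        })
    return {"flag_enabled": flag_on, "risky_packages": risky,
            "matches_condition": flag_on and bool(risky)}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("flag off", FLAG_OFF)):
        print(label, audit_struts_config(cfg))
```

The option can also be set outside struts.xml (for example in struts.properties), so a clean result from this file alone does not rule the condition out.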

Pharos Software and Apache Struts

Pharos has reviewed all of our software and the third-party tools/libraries that we use and can confirm that we do not use Apache Struts in any product. This includes:

Uniprint (including all web interfaces)

Blueprint (including all web interfaces)

Mobileprint

All Omega devices (including PS60, PS150, PS200)

All iMFP implementations across all manufacturers

Beacon – both the desktop components and the cloud infrastructure

Kiosks

Pharos products are therefore not vulnerable to the Apache Struts exploit.